During the Washington & Jefferson College January intersession, the students
in ITL 233: Cyberattacks performed a variety of lab exercises to explore the
properties of a variety of malware and security software. On January 26th, we
worked as a group to investigate the numerous reports (1, 2, 3)
that biometric fingerprint scanners can easily be spoofed with Play-doh, gummy
bears, and other household materials. While we believed that fingerprint
spoofing would be possible using plastic molds and latex or gelatin casts, we
wanted to confirm that a less sophisticated method would work as well.

We had two personal-use fingerprint scanners available to us: the APC
Biometric Security device and the Microsoft Fingerprint Reader. We installed
both of these devices following
the provided instructions without deviating from their default settings to mimic
the average user's installation. Two identically-configured Dell Latitude laptops
were used. Each student set up an account on each of the machines and scanned in
the fingerprint on the finger of their choice. Both devices were shown to
reliably identify all scanned fingerprints; no false positives were achieved
when scanning fingerprints that had not been registered with the system.

In order to spoof our fingerprints, a variety of materials was purchased
from Target and the local grocery store; only commonly available, inexpensive
materials were selected. Paraffin wax, specifically Gulf Wax Household Paraffin
Wax, was purchased for use in making fingerprint molds. To make casts, we had:

Play-doh

Target-brand gummy bears

Silly Putty

Elmer's Reusable Adhesive Tac 'N Stik

RoseArt Modeling Clay

Crayola Model Magic Soft, Spongy Modeling Material

Altogether, $12.82 including tax was spent to purchase these materials. A
kitchen knife, hotpot and mug were scavenged from the instructor's office for
use in cutting and heating the wax, as was scotch tape for cleaning the scanners
before a spoofing attempt.

We began by simply trying to create fingerprint casts by pressing our fingers
into the various casting materials. This simple, one-step method would have the
advantage of taking a fingerprint cast directly off the original fingerprint,
rather than off a necessarily less-detailed mold of that fingerprint. It was
quickly determined that, claims otherwise aside, gummy bears were not a
plausible material for spoofing fingerprints. None of us was able to get a
gummy bear to hold a fingerprint, either on the flat back surface, or by tearing
the gummy bear open and trying to create an impression on the softer interior.
It was theorized that perhaps a superior quality of gummy bear, instead of the
generic brand purchased, or a gummy candy with a large surface area would work
better. But for the remainder of the experiment the gummy bears became simply a
form of sustenance.

The other materials were all able to hold a fingerprint
well, with the only observations being that the Tac 'N Stik perhaps held a
fingerprint too easily, requiring very careful handling. The best method
found was to flatten and smooth it between two sheets of paper, lift the top
paper and make a fingerprint impression on the top surface, and then use the
lower paper to move the Tac 'N Stik and press it into the fingerprint scanner.
Without using this or a similar technique, the original fingerprint impression
would inevitably be merged with another print created in the manipulation of the
cast. Team Bill observed that a pliable material that could hold a mold without
picking up every fingerprint would be needed for successful spoofing.

None of the efforts to spoof the scanners using a direct impression of the
fingerprint was successful. In many cases the scanner would not even register
that a fingerprint was present to scan (the software bundled with each scanner
includes a visual cue that it is attempting to read a fingerprint; this cue also
visually indicates whether a fingerprint matching one registered with the system
has been found). Both devices attempted to read the Play-doh impressions, and
some people were able to get them to do so consistently, but the impression was
never identified as a registered fingerprint.

The software supporting the APC scanner was particularly useful, as it would
display the fingerprint image it was attempting to match on the screen. A visual
inspection suggested that these fingerprints were comparable in detail to an
actual fingerprint scan. It was concluded that the mirror image obtained from a
direct impression of the fingerprint was not going to be sufficient to spoof the
scanners, and that an impression would have to be taken from a mold in order to
have a comparable fingerprint to present to the scanner.

To make a fingerprint mold using inexpensive, widely available materials, we
elected to use wax. A mug was placed inside a hot pot, over an inch or two of
boiling water, and small chunks of paraffin wax were placed in the mug, before
placing the hot pot lid over the entire contraption. This jury-rigged double
boiler was quite successful in softening the wax. It was found that unless the
wax was well softened, it would crack and not hold a fingerprint impression
well.

Initially, the wax-based mold technique appeared to be less successful than
the direct impression technique. The wax did not appear to hold a sufficiently
detailed impression, and even after a brief rest in the freezer of the
departmental fridge, the wax was found to be too malleable to hold up to the
pressure necessary to make a good cast, particularly when using the Tac 'N Stik,
which was the firmest of the materials used. The Silly Putty was found to be the
most sensitive to taking an impression, even under only moderate pressure
against the mold. However, Silly Putty was found to cling to the fingerprint
scanners, particularly the slightly gummy surface of the Microsoft device, and
was quickly dismissed as unsuitable for the task. At this point, only the Play-doh,
modeling clay, and modeling material were considered plausible for spoofing
fingerprints.

Six teams worked on creating molds and casts, with five teams meeting with no
success and concluding eventually that rumors of Play-doh being usable for this
task were unfounded. It was conjectured that the casting might have been more
successful had the Play-doh been slightly less fresh and thus slightly firmer.
As it was, the Play-doh was found to be too soft to hold up to the pressure
necessary against the scanners, while the modeling clay and modeling material
were too firm to make a good impression against the delicate molds. Team Tuff
was able to get the scanners to attempt to identify their spoofed fingerprints using
modeling clay but did not get any positive identifications, seemingly due to
deformation of the clay when pressed against the scanner; they theorized that
putting the actual fingerprint cast in the freezer before using it might have
helped. Despite these failures, a sixth team, Team 1337, employed a more
time-consuming strategy than the other teams, which ended up meeting with
success.

Team 1337 created a fingerprint mold by first taking a very soft piece of wax
and flattening it against a hard surface until approximately a quarter-inch thick.
They then pressed the finger to
be molded into the wax firmly for over 5 minutes, making a deep, well-defined
impression. The wax was then transferred to the freezer for 10-15 minutes until
quite hard and slightly frozen. The team focused on spoofing the Microsoft
device, citing the larger flat surface for scanning, as compared to the smaller
recessed scanning area of the APC device that required deformation of the cast
in the process of scanning. After trying the various materials available, the
team concluded that the Crayola modeling material was the most suitable, holding
a cast well while being firm enough to hold up to the significant pressure
necessary when using the Microsoft device.

By firmly pressing the modeling material into the wax mold, a cast was made
that, when pressed against the scanning surface on the Microsoft device, was
identified as the fingerprint of the team member upon whom the mold was made.
These results were replicated twice using the wax mold, at which point it became
clear that even after freezing, repeated casting degraded the detail of the mold
such that it was no longer useful. The result was replicated with a second mold,
made in the same manner, again using the Crayola modeling material. This second
trial is shown in the AVI video file here. You can see the modeling material
being pressed into the wax mold, and then being pressed against the Microsoft
scanner a few times. You can tell that the spoof was successful when the
biometric software's "One Touch Menu" pops up in the lower right-hand corner of
the screen. A close-up of that menu is shown here. Using this technique, they
were able to successfully spoof the Microsoft reader approximately a third of the
time.

At the same time a third mold, following the
approach of the other teams of pressing a finger into a lump of wax, was
created. This mold was found to not produce satisfactory casts; it appears that
creating a mold in a smooth, flat piece of wax is required.

Following this success, Team 1337 turned their approach against the APC
device. Given the recessed scanning surface, the approach used on the Microsoft
scanner was not successful. It was noted, though, that the APC scanning surface
requires significantly less pressure to register a fingerprint than the
Microsoft scanning surface. Given that, the Play-doh was chosen as the casting
material, and before a fingerprint impression was made, the Play-doh was first
pressed into the APC scanner. When removed, the Play-doh was shaped to the
scanner, with a flat surface at the tip corresponding to the scanning surface.
This flat tip was pressed into the wax mold, and the Play-doh cast was then
pressed back into the APC scanner. It was found that light pressure needed to be
employed and that patience was required while the scanning surface took longer
than normal to register the fingerprint. However, following this
technique, multiple successful spoofs were achieved until, again, the mold
appeared to soften too much to allow an accurate cast. Video of one of these
trials is shown in this AVI file. You will see that the laptop has been
locked, the cast is held against the scanner, the scanning feedback window shows
an image of the fingerprint that has been found which will eventually turn green
(as seen to the left), and then the login prompt will clear and the computer
will be unlocked.

Based on these two results, we conclude that it is possible to spoof a
personal-use fingerprint scanner using inexpensive household materials. However,
a few additional observations are worth making:

When using Crayola Model Magic, one must move quickly, as the material
becomes firm and then brittle quite quickly. One could not expect to use it to
make a cast significantly ahead of the time at which it was to be used.

In order for the process to succeed, a very high quality mold is required.
Beyond the freezing time, a fingerprint impression in pre-smoothed very soft
hot wax using significant pressure is required. As was noted by Team 1337, it
is unlikely that such a mold can be acquired casually from an individual for
the purposes of stealing their fingerprint. It has been suggested by a
colleague, however,
that a fingerprint impression made in half-dry fingernail polish and then
allowed to harden completely might be a suitable alternative.

The fingerprint being spoofed was a thumbprint, offering a large, and
predominantly flat, surface to cast against. It is likely that this aided in
the molding and casting process. Future work might test the procedure outlined
above when used to spoof thumbprints, index fingerprints and pinky
fingerprints.

It should also be noted that, following a standard installation, the biometric
devices looked at served a convenience purpose, allowing a fingerprint to stand
in for a password, but fingerprint authentication was not required in addition
to a password. The increased security would come from the increased likelihood
that users would pick sufficiently long and complex passwords and not write those
passwords down if they could use a biometric device to store and retrieve those
passwords as needed. Implicit in such a system, though, is that the user
will come to rely on the device and, in the case of device failure, be unable
to remember the passwords normally retrieved by the biometric device.